docs: add Gemini 2.5 Flash Image Preview model to README

- Added new "Gemini 2.5 Flash Image Preview" model definition, with enhanced image generation capabilities.
- Increased scanner buffer size to 20,971,520 bytes across executors and translators to handle larger payloads.

MANAGEMENT_API.md

@@ -663,6 +663,17 @@ These endpoints initiate provider login flows and return a URL to open in a brow
     { "status": "ok", "url": "https://..." }
     ```
 
+- GET `/iflow-auth-url` — Start iFlow login
+  - Request:
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      http://localhost:8317/v0/management/iflow-auth-url
+    ```
+  - Response:
+    ```json
+    { "status": "ok", "url": "https://..." }
+    ```
+
 - GET `/get-auth-status?state=<state>` — Poll OAuth flow status
   - Request:
     ```bash

MANAGEMENT_API_CN.md

@@ -663,6 +663,17 @@
     { "status": "ok", "url": "https://..." }
     ```
 
+- GET `/iflow-auth-url` — 开始 iFlow 登录
+  - 请求：
+    ```bash
+    curl -H 'Authorization: Bearer <MANAGEMENT_KEY>' \
+      http://localhost:8317/v0/management/iflow-auth-url
+    ```
+  - 响应：
+    ```json
+    { "status": "ok", "url": "https://..." }
+    ```
+
 - GET `/get-auth-status?state=<state>` — 轮询 OAuth 流程状态
   - 请求：
     ```bash

README.md

@@ -8,7 +8,7 @@ It now also supports OpenAI Codex (GPT models) and Claude Code via OAuth.
 
 So you can use local or multi-account CLI access with OpenAI(include Responses)/Gemini/Claude-compatible clients and SDKs.
 
-The first Chinese provider has now been added: [Qwen Code](https://github.com/QwenLM/qwen-code).
+Chinese providers have now been added: [Qwen Code](https://github.com/QwenLM/qwen-code), [iFlow](https://iflow.cn/).
 
 ## Features
 
@@ -16,19 +16,21 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 - OpenAI Codex support (GPT models) via OAuth login
 - Claude Code support via OAuth login
 - Qwen Code support via OAuth login
+- iFlow support via OAuth login
 - Gemini Web support via cookie-based login
 - Streaming and non-streaming responses
 - Function calling/tools support
 - Multimodal input support (text and images)
-- Multiple accounts with round-robin load balancing (Gemini, OpenAI, Claude and Qwen)
+- Multiple accounts with round-robin load balancing (Gemini, OpenAI, Claude, Qwen and iFlow)
-- Simple CLI authentication flows (Gemini, OpenAI, Claude and Qwen)
+- Simple CLI authentication flows (Gemini, OpenAI, Claude, Qwen and iFlow)
 - Generative Language API Key support
 - Gemini CLI multi-account load balancing
 - Claude Code multi-account load balancing
 - Qwen Code multi-account load balancing
+- iFlow multi-account load balancing
 - OpenAI Codex multi-account load balancing
 - OpenAI-compatible upstream providers via config (e.g., OpenRouter)
-- Reusable Go SDK for embedding the proxy (see `docs/sdk-usage.md`, 中文: `docs/sdk-usage_CN.md`)
+- Reusable Go SDK for embedding the proxy (see `docs/sdk-usage.md`)
 
 ## Installation
 
@@ -39,6 +41,7 @@ The first Chinese provider has now been added: [Qwen Code](https://github.com/Qw
 - An OpenAI account for Codex/GPT access (optional)
 - An Anthropic account for Claude Code access (optional)
 - A Qwen Chat account for Qwen Code access (optional)
+- An iFlow account for iFlow access (optional)
 
 ### Building from Source
 
@@ -76,7 +79,7 @@ Set `remote-management.disable-control-panel` to `true` if you prefer to host th
 
 ### Authentication
 
-You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the same `auth-dir` and will be load balanced.
+You can authenticate for Gemini, OpenAI, Claude, Qwen, and/or iFlow. All can coexist in the same `auth-dir` and will be load balanced.
 
 - Gemini (Google):
   ```bash
@@ -115,6 +118,12 @@ You can authenticate for Gemini, OpenAI, and/or Claude. All can coexist in the s
   ```
   Options: add `--no-browser` to print the login URL instead of opening a browser. Use the Qwen Chat's OAuth device flow.
 
+- iFlow (iFlow via OAuth):
+  ```bash
+  ./cli-proxy-api --iflow-login
+  ```
+  Options: add `--no-browser` to print the login URL instead of opening a browser. The local OAuth callback uses port `11451`.
+
 
 ### Starting the Server
 
@@ -156,7 +165,7 @@ Request body example:
 ```
 
 Notes:
-- Use a `gemini-*` model for Gemini (e.g., "gemini-2.5-pro"), a `gpt-*` model for OpenAI (e.g., "gpt-5"), a `claude-*` model for Claude (e.g., "claude-3-5-sonnet-20241022"), or a `qwen-*` model for Qwen (e.g., "qwen3-coder-plus"). The proxy will route to the correct provider automatically.
+- Use a `gemini-*` model for Gemini (e.g., "gemini-2.5-pro"), a `gpt-*` model for OpenAI (e.g., "gpt-5"), a `claude-*` model for Claude (e.g., "claude-3-5-sonnet-20241022"), a `qwen-*` model for Qwen (e.g., "qwen3-coder-plus"), or an iFlow-supported model (e.g., "tstars2.0", "deepseek-v3.1", "kimi-k2", etc.). The proxy will route to the correct provider automatically.
 
 #### Claude Messages (SSE-compatible)
 
@@ -249,6 +258,7 @@ console.log(await claudeResponse.json());
 - gemini-2.5-pro
 - gemini-2.5-flash
 - gemini-2.5-flash-lite
+- gemini-2.5-flash-image-preview
 - gpt-5
 - gpt-5-codex
 - claude-opus-4-1-20250805
@@ -259,6 +269,16 @@ console.log(await claudeResponse.json());
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
 - qwen3-coder-flash
+- qwen3-max
+- qwen3-vl-plus
+- deepseek-v3.2
+- deepseek-v3.1
+- deepseek-r1
+- deepseek-v3
+- kimi-k2
+- glm-4.5
+- tstars2.0
+- And other iFlow-supported models
 - Gemini models auto-switch to preview variants when needed
 
 ## Configuration
@@ -532,6 +552,14 @@ export ANTHROPIC_MODEL=qwen3-coder-plus
 export ANTHROPIC_SMALL_FAST_MODEL=qwen3-coder-flash
 ```
 
+Using iFlow models:
+```bash
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8317
+export ANTHROPIC_AUTH_TOKEN=sk-dummy
+export ANTHROPIC_MODEL=qwen3-max
+export ANTHROPIC_SMALL_FAST_MODEL=qwen3-235b-a22b-instruct
+```
+
 ## Codex with multiple account load balancing
 
 Start CLI Proxy API server, and then edit the `~/.codex/config.toml` and `~/.codex/auth.json` files.
@@ -587,6 +615,12 @@ Run the following command to login (Qwen OAuth):
 docker run -it -rm -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --qwen-login
 ```
 
+Run the following command to login (iFlow OAuth on port 11451):
+
+```bash
+docker run --rm -p 11451:11451 -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --iflow-login
+```
+
 Run the following command to start the server:
 
 ```bash
@@ -649,6 +683,10 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
     ```bash
     docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --qwen-login
     ```
+    - **iFlow**:
+    ```bash
+    docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --iflow-login
+    ```
 
 5.  To view the server logs:
     ```bash

README_CN.md

@@ -28,7 +28,7 @@
 
 您可以使用本地或多账户的CLI方式，通过任何与 OpenAI（包括Responses）/Gemini/Claude 兼容的客户端和SDK进行访问。
 
-现已新增首个中国提供商：[Qwen Code](https://github.com/QwenLM/qwen-code)。
+现已新增国内提供商：[Qwen Code](https://github.com/QwenLM/qwen-code)、[iFlow](https://iflow.cn/)。
 
 ## 功能特性
 
@@ -36,19 +36,21 @@
 - 新增 OpenAI Codex（GPT 系列）支持（OAuth 登录）
 - 新增 Claude Code 支持（OAuth 登录）
 - 新增 Qwen Code 支持（OAuth 登录）
+- 新增 iFlow 支持（OAuth 登录）
 - 新增 Gemini Web 支持（通过 Cookie 登录）
 - 支持流式与非流式响应
 - 函数调用/工具支持
 - 多模态输入（文本、图片）
-- 多账户支持与轮询负载均衡（Gemini、OpenAI、Claude 与 Qwen）
+- 多账户支持与轮询负载均衡（Gemini、OpenAI、Claude、Qwen 与 iFlow）
-- 简单的 CLI 身份验证流程（Gemini、OpenAI、Claude 与 Qwen）
+- 简单的 CLI 身份验证流程（Gemini、OpenAI、Claude、Qwen 与 iFlow）
 - 支持 Gemini AIStudio API 密钥
 - 支持 Gemini CLI 多账户轮询
 - 支持 Claude Code 多账户轮询
 - 支持 Qwen Code 多账户轮询
+- 支持 iFlow 多账户轮询
 - 支持 OpenAI Codex 多账户轮询
 - 通过配置接入上游 OpenAI 兼容提供商（例如 OpenRouter）
-- 可复用的 Go SDK（见 `docs/sdk-usage.md`）
+- 可复用的 Go SDK（见 `docs/sdk-usage_CN.md`）
 
 ## 安装
 
@@ -59,6 +61,7 @@
 - 有权访问 OpenAI Codex/GPT 的 OpenAI 账户（可选）
 - 有权访问 Claude Code 的 Anthropic 账户（可选）
 - 有权访问 Qwen Code 的 Qwen Chat 账户（可选）
+- 有权访问 iFlow 的 iFlow 账户（可选）
 
 ### 从源码构建
 
@@ -89,7 +92,7 @@ CLIProxyAPI 的基于 Web 的管理中心。
 
 ### 身份验证
 
-您可以分别为 Gemini、OpenAI 和 Claude 进行身份验证，三者可同时存在于同一个 `auth-dir` 中并参与负载均衡。
+您可以分别为 Gemini、OpenAI、Claude、Qwen 和 iFlow 进行身份验证，它们可同时存在于同一个 `auth-dir` 中并参与负载均衡。
 
 - Gemini（Google）：
   ```bash
@@ -128,6 +131,12 @@ CLIProxyAPI 的基于 Web 的管理中心。
   ```
   选项：加上 `--no-browser` 可打印登录地址而不自动打开浏览器。使用 Qwen Chat 的 OAuth 设备登录流程。
 
+- iFlow（iFlow，OAuth）：
+  ```bash
+  ./cli-proxy-api --iflow-login
+  ```
+  选项：加上 `--no-browser` 可打印登录地址而不自动打开浏览器。本地 OAuth 回调端口为 `11451`。
+
 ### 启动服务器
 
 身份验证完成后，启动服务器：
@@ -168,7 +177,7 @@ POST http://localhost:8317/v1/chat/completions
 ```
 
 说明：
-- 使用 "gemini-*" 模型（例如 "gemini-2.5-pro"）来调用 Gemini，使用 "gpt-*" 模型（例如 "gpt-5"）来调用 OpenAI，使用 "claude-*" 模型（例如 "claude-3-5-sonnet-20241022"）来调用 Claude，或者使用 "qwen-*" 模型（例如 "qwen3-coder-plus"）来调用 Qwen。代理服务会自动将请求路由到相应的提供商。
+- 使用 "gemini-*" 模型（例如 "gemini-2.5-pro"）来调用 Gemini，使用 "gpt-*" 模型（例如 "gpt-5"）来调用 OpenAI，使用 "claude-*" 模型（例如 "claude-3-5-sonnet-20241022"）来调用 Claude，使用 "qwen-*" 模型（例如 "qwen3-coder-plus"）来调用 Qwen，或者使用 iFlow 支持的模型（例如 "tstars2.0"、"deepseek-v3.1"、"kimi-k2" 等）来调用 iFlow。代理服务会自动将请求路由到相应的提供商。
 
 #### Claude 消息（SSE 兼容）
 
@@ -261,6 +270,7 @@ console.log(await claudeResponse.json());
 - gemini-2.5-pro
 - gemini-2.5-flash
 - gemini-2.5-flash-lite
+- gemini-2.5-flash-image-preview
 - gpt-5
 - gpt-5-codex
 - claude-opus-4-1-20250805
@@ -271,6 +281,16 @@ console.log(await claudeResponse.json());
 - claude-3-5-haiku-20241022
 - qwen3-coder-plus
 - qwen3-coder-flash
+- qwen3-max
+- qwen3-vl-plus
+- deepseek-v3.2
+- deepseek-v3.1
+- deepseek-r1
+- deepseek-v3
+- kimi-k2
+- glm-4.5
+- tstars2.0
+- 以及其他 iFlow 支持的模型
 - Gemini 模型在需要时自动切换到对应的 preview 版本
 
 ## 配置
@@ -540,6 +560,14 @@ export ANTHROPIC_MODEL=qwen3-coder-plus
 export ANTHROPIC_SMALL_FAST_MODEL=qwen3-coder-flash
 ```
 
+使用 iFlow 模型：
+```bash
+export ANTHROPIC_BASE_URL=http://127.0.0.1:8317
+export ANTHROPIC_AUTH_TOKEN=sk-dummy
+export ANTHROPIC_MODEL=qwen3-max
+export ANTHROPIC_SMALL_FAST_MODEL=qwen3-235b-a22b-instruct
+```
+
 ## Codex 多账户负载均衡
 
 启动 CLI Proxy API 服务器, 修改 `~/.codex/config.toml` 和 `~/.codex/auth.json` 文件。
@@ -595,6 +623,12 @@ docker run --rm -p 54545:54545 -v /path/to/your/config.yaml:/CLIProxyAPI/config.
 docker run -it -rm -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --qwen-login
 ```
 
+运行以下命令进行登录（iFlow OAuth，端口 11451）：
+
+```bash
+docker run --rm -p 11451:11451 -v /path/to/your/config.yaml:/CLIProxyAPI/config.yaml -v /path/to/your/auth-dir:/root/.cli-proxy-api eceasy/cli-proxy-api:latest /CLIProxyAPI/CLIProxyAPI --iflow-login
+```
+
 
 运行以下命令启动服务器：
 
@@ -658,6 +692,10 @@ docker run --rm -p 8317:8317 -v /path/to/your/config.yaml:/CLIProxyAPI/config.ya
     ```bash
     docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --qwen-login
     ```
+    - **iFlow**:
+    ```bash
+    docker compose exec cli-proxy-api /CLIProxyAPI/CLIProxyAPI -no-browser --iflow-login
+    ```
 
 5.  查看服务器日志：
     ```bash

cmd/server/main.go

@@ -42,6 +42,7 @@ func main() {
 	var codexLogin bool
 	var claudeLogin bool
 	var qwenLogin bool
+	var iflowLogin bool
 	var geminiWebAuth bool
 	var noBrowser bool
 	var projectID string
@@ -53,6 +54,7 @@ func main() {
 	flag.BoolVar(&codexLogin, "codex-login", false, "Login to Codex using OAuth")
 	flag.BoolVar(&claudeLogin, "claude-login", false, "Login to Claude using OAuth")
 	flag.BoolVar(&qwenLogin, "qwen-login", false, "Login to Qwen using OAuth")
+	flag.BoolVar(&iflowLogin, "iflow-login", false, "Login to iFlow using OAuth")
 	flag.BoolVar(&geminiWebAuth, "gemini-web-auth", false, "Auth Gemini Web using cookies")
 	flag.BoolVar(&noBrowser, "no-browser", false, "Don't open browser automatically for OAuth")
 	flag.StringVar(&projectID, "project_id", "", "Project ID (Gemini only, not required)")
@@ -153,6 +155,8 @@ func main() {
 		cmd.DoClaudeLogin(cfg, options)
 	} else if qwenLogin {
 		cmd.DoQwenLogin(cfg, options)
+	} else if iflowLogin {
+		cmd.DoIFlowLogin(cfg, options)
 	} else if geminiWebAuth {
 		cmd.DoGeminiWebAuth(cfg)
 	} else {

docker-compose.yml

@@ -15,6 +15,7 @@ services:
       - "8085:8085"
       - "1455:1455"
       - "54545:54545"
+      - "11451:11451"
     volumes:
       - ./config.yaml:/CLIProxyAPI/config.yaml
       - ./auths:/root/.cli-proxy-api

internal/api/handlers/management/auth_files.go

@@ -1,26 +1,32 @@
 package management
 
 import (
+	"bytes"
 	"context"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/claude"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/codex"
 	geminiAuth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/gemini"
+	iflowauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/qwen"
 	// legacy client removed
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/interfaces"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
 	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
 	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
@@ -37,6 +43,28 @@ var (
 
 var lastRefreshKeys = []string{"last_refresh", "lastRefresh", "last_refreshed_at", "lastRefreshedAt"}
 
+const (
+	anthropicCallbackPort   = 54545
+	geminiCallbackPort      = 8085
+	codexCallbackPort       = 1455
+	geminiCLIEndpoint       = "https://cloudcode-pa.googleapis.com"
+	geminiCLIVersion        = "v1internal"
+	geminiCLIUserAgent      = "google-api-nodejs-client/9.15.1"
+	geminiCLIApiClient      = "gl-node/22.17.0"
+	geminiCLIClientMetadata = "ideType=IDE_UNSPECIFIED,platform=PLATFORM_UNSPECIFIED,pluginType=GEMINI"
+)
+
+type callbackForwarder struct {
+	provider string
+	server   *http.Server
+	done     chan struct{}
+}
+
+var (
+	callbackForwardersMu sync.Mutex
+	callbackForwarders   = make(map[int]*callbackForwarder)
+)
+
 func extractLastRefreshTimestamp(meta map[string]any) (time.Time, bool) {
 	if len(meta) == 0 {
 		return time.Time{}, false
@@ -90,6 +118,120 @@ func parseLastRefreshValue(v any) (time.Time, bool) {
 	return time.Time{}, false
 }
 
+func isWebUIRequest(c *gin.Context) bool {
+	raw := strings.TrimSpace(c.Query("is_webui"))
+	if raw == "" {
+		return false
+	}
+	switch strings.ToLower(raw) {
+	case "1", "true", "yes", "on":
+		return true
+	default:
+		return false
+	}
+}
+
+func startCallbackForwarder(port int, provider, targetBase string) (*callbackForwarder, error) {
+	callbackForwardersMu.Lock()
+	prev := callbackForwarders[port]
+	if prev != nil {
+		delete(callbackForwarders, port)
+	}
+	callbackForwardersMu.Unlock()
+
+	if prev != nil {
+		stopForwarderInstance(port, prev)
+	}
+
+	addr := fmt.Sprintf("127.0.0.1:%d", port)
+	ln, err := net.Listen("tcp", addr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to listen on %s: %w", addr, err)
+	}
+
+	handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		target := targetBase
+		if raw := r.URL.RawQuery; raw != "" {
+			if strings.Contains(target, "?") {
+				target = target + "&" + raw
+			} else {
+				target = target + "?" + raw
+			}
+		}
+		w.Header().Set("Cache-Control", "no-store")
+		http.Redirect(w, r, target, http.StatusFound)
+	})
+
+	srv := &http.Server{
+		Handler:           handler,
+		ReadHeaderTimeout: 5 * time.Second,
+		WriteTimeout:      5 * time.Second,
+	}
+	done := make(chan struct{})
+
+	go func() {
+		if errServe := srv.Serve(ln); errServe != nil && !errors.Is(errServe, http.ErrServerClosed) {
+			log.WithError(errServe).Warnf("callback forwarder for %s stopped unexpectedly", provider)
+		}
+		close(done)
+	}()
+
+	forwarder := &callbackForwarder{
+		provider: provider,
+		server:   srv,
+		done:     done,
+	}
+
+	callbackForwardersMu.Lock()
+	callbackForwarders[port] = forwarder
+	callbackForwardersMu.Unlock()
+
+	log.Infof("callback forwarder for %s listening on %s", provider, addr)
+
+	return forwarder, nil
+}
+
+func stopCallbackForwarder(port int) {
+	callbackForwardersMu.Lock()
+	forwarder := callbackForwarders[port]
+	if forwarder != nil {
+		delete(callbackForwarders, port)
+	}
+	callbackForwardersMu.Unlock()
+
+	stopForwarderInstance(port, forwarder)
+}
+
+func stopForwarderInstance(port int, forwarder *callbackForwarder) {
+	if forwarder == nil || forwarder.server == nil {
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+	defer cancel()
+
+	if err := forwarder.server.Shutdown(ctx); err != nil && !errors.Is(err, http.ErrServerClosed) {
+		log.WithError(err).Warnf("failed to shut down callback forwarder on port %d", port)
+	}
+
+	select {
+	case <-forwarder.done:
+	case <-time.After(2 * time.Second):
+	}
+
+	log.Infof("callback forwarder on port %d stopped", port)
+}
+
+func (h *Handler) managementCallbackURL(path string) (string, error) {
+	if h == nil || h.cfg == nil || h.cfg.Port <= 0 {
+		return "", fmt.Errorf("server port is not configured")
+	}
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+	return fmt.Sprintf("http://127.0.0.1:%d%s", h.cfg.Port, path), nil
+}
+
 // List auth files
 func (h *Handler) ListAuthFiles(c *gin.Context) {
 	entries, err := os.ReadDir(h.cfg.AuthDir)
@@ -389,9 +531,27 @@ func (h *Handler) RequestAnthropicToken(c *gin.Context) {
 		log.Fatalf("Failed to generate authorization URL: %v", err)
 		return
 	}
-	// Override redirect_uri in authorization URL to current server port
+
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/anthropic/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute anthropic callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(anthropicCallbackPort, "anthropic", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start anthropic callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
 
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(anthropicCallbackPort)
+		}
+
 		// Helper: wait for callback file
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-anthropic-%s.oauth", state))
 		waitForFile := func(path string, timeout time.Duration) (map[string]string, error) {
@@ -552,7 +712,26 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 	state := fmt.Sprintf("gem-%d", time.Now().UnixNano())
 	authURL := conf.AuthCodeURL(state, oauth2.AccessTypeOffline, oauth2.SetAuthURLParam("prompt", "consent"))
 
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/google/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute gemini callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(geminiCallbackPort, "gemini", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start gemini callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
+
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(geminiCallbackPort)
+		}
+
 		// Wait for callback file written by server route
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-gemini-%s.oauth", state))
 		fmt.Println("Waiting for authentication callback...")
@@ -592,6 +771,8 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 			return
 		}
 
+		requestedProjectID := strings.TrimSpace(projectID)
+
 		// Create token storage (mirrors internal/auth/gemini createTokenStorage)
 		httpClient := conf.Client(ctx, token)
 		req, errNewRequest := http.NewRequestWithContext(ctx, "GET", "https://www.googleapis.com/oauth2/v1/userinfo?alt=json", nil)
@@ -651,13 +832,14 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 
 		ts := geminiAuth.GeminiTokenStorage{
 			Token:     ifToken,
-			ProjectID: projectID,
+			ProjectID: requestedProjectID,
 			Email:     email,
+			Auto:      requestedProjectID == "",
 		}
 
 		// Initialize authenticated HTTP client via GeminiAuth to honor proxy settings
 		gemAuth := geminiAuth.NewGeminiAuth()
-		_, errGetClient := gemAuth.GetAuthenticatedClient(ctx, &ts, h.cfg, true)
+		gemClient, errGetClient := gemAuth.GetAuthenticatedClient(ctx, &ts, h.cfg, true)
 		if errGetClient != nil {
 			log.Fatalf("failed to get authenticated client: %v", errGetClient)
 			oauthStatus[state] = "Failed to get authenticated client"
@@ -665,15 +847,44 @@ func (h *Handler) RequestGeminiCLIToken(c *gin.Context) {
 		}
 		fmt.Println("Authentication successful.")
 
-		record := &coreauth.Auth{
+		if errEnsure := ensureGeminiProjectAndOnboard(ctx, gemClient, &ts, requestedProjectID); errEnsure != nil {
-			ID:       fmt.Sprintf("gemini-%s.json", ts.Email),
+			log.Errorf("Failed to complete Gemini CLI onboarding: %v", errEnsure)
-			Provider: "gemini",
+			oauthStatus[state] = "Failed to complete Gemini CLI onboarding"
-			FileName: fmt.Sprintf("gemini-%s.json", ts.Email),
+			return
-			Storage:  &ts,
+		}
-			Metadata: map[string]any{
+
+		if strings.TrimSpace(ts.ProjectID) == "" {
+			log.Error("Onboarding did not return a project ID")
+			oauthStatus[state] = "Failed to resolve project ID"
+			return
+		}
+
+		isChecked, errCheck := checkCloudAPIIsEnabled(ctx, gemClient, ts.ProjectID)
+		if errCheck != nil {
+			log.Errorf("Failed to verify Cloud AI API status: %v", errCheck)
+			oauthStatus[state] = "Failed to verify Cloud AI API status"
+			return
+		}
+		ts.Checked = isChecked
+		if !isChecked {
+			log.Error("Cloud AI API is not enabled for the selected project")
+			oauthStatus[state] = "Cloud AI API not enabled"
+			return
+		}
+
+		recordMetadata := map[string]any{
 			"email":      ts.Email,
 			"project_id": ts.ProjectID,
-			},
+			"auto":       ts.Auto,
+			"checked":    ts.Checked,
+		}
+
+		record := &coreauth.Auth{
+			ID:       fmt.Sprintf("gemini-%s-%s.json", ts.Email, ts.ProjectID),
+			Provider: "gemini",
+			FileName: fmt.Sprintf("gemini-%s-%s.json", ts.Email, ts.ProjectID),
+			Storage:  &ts,
+			Metadata: recordMetadata,
 		}
 		savedPath, errSave := h.saveTokenRecord(ctx, record)
 		if errSave != nil {
@@ -778,7 +989,26 @@ func (h *Handler) RequestCodexToken(c *gin.Context) {
 		return
 	}
 
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/codex/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute codex callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(codexCallbackPort, "codex", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start codex callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"error": "failed to start callback server"})
+			return
+		}
+	}
+
 	go func() {
+		if isWebUI {
+			defer stopCallbackForwarder(codexCallbackPort)
+		}
+
 		// Wait for callback file
 		waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-codex-%s.oauth", state))
 		deadline := time.Now().Add(5 * time.Minute)
@@ -958,6 +1188,474 @@ func (h *Handler) RequestQwenToken(c *gin.Context) {
 	c.JSON(200, gin.H{"status": "ok", "url": authURL, "state": state})
 }
 
+func (h *Handler) RequestIFlowToken(c *gin.Context) {
+	ctx := context.Background()
+
+	fmt.Println("Initializing iFlow authentication...")
+
+	state := fmt.Sprintf("ifl-%d", time.Now().UnixNano())
+	authSvc := iflowauth.NewIFlowAuth(h.cfg)
+	authURL, redirectURI := authSvc.AuthorizationURL(state, iflowauth.CallbackPort)
+
+	isWebUI := isWebUIRequest(c)
+	if isWebUI {
+		targetURL, errTarget := h.managementCallbackURL("/iflow/callback")
+		if errTarget != nil {
+			log.WithError(errTarget).Error("failed to compute iflow callback target")
+			c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "callback server unavailable"})
+			return
+		}
+		if _, errStart := startCallbackForwarder(iflowauth.CallbackPort, "iflow", targetURL); errStart != nil {
+			log.WithError(errStart).Error("failed to start iflow callback forwarder")
+			c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "failed to start callback server"})
+			return
+		}
+
+		go func() {
+			defer stopCallbackForwarder(iflowauth.CallbackPort)
+			fmt.Println("Waiting for authentication...")
+
+			waitFile := filepath.Join(h.cfg.AuthDir, fmt.Sprintf(".oauth-iflow-%s.oauth", state))
+			deadline := time.Now().Add(5 * time.Minute)
+			var resultMap map[string]string
+			for {
+				if time.Now().After(deadline) {
+					oauthStatus[state] = "Authentication failed"
+					fmt.Println("Authentication failed: timeout waiting for callback")
+					return
+				}
+				if data, errR := os.ReadFile(waitFile); errR == nil {
+					_ = os.Remove(waitFile)
+					_ = json.Unmarshal(data, &resultMap)
+					break
+				}
+				time.Sleep(500 * time.Millisecond)
+			}
+
+			if errStr := strings.TrimSpace(resultMap["error"]); errStr != "" {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Printf("Authentication failed: %s\n", errStr)
+				return
+			}
+			if resultState := strings.TrimSpace(resultMap["state"]); resultState != state {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Println("Authentication failed: state mismatch")
+				return
+			}
+
+			code := strings.TrimSpace(resultMap["code"])
+			if code == "" {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Println("Authentication failed: code missing")
+				return
+			}
+
+			tokenData, errExchange := authSvc.ExchangeCodeForTokens(ctx, code, redirectURI)
+			if errExchange != nil {
+				oauthStatus[state] = "Authentication failed"
+				fmt.Printf("Authentication failed: %v\n", errExchange)
+				return
+			}
+
+			tokenStorage := authSvc.CreateTokenStorage(tokenData)
+			identifier := strings.TrimSpace(tokenStorage.Email)
+			if identifier == "" {
+				identifier = fmt.Sprintf("iflow-%d", time.Now().UnixMilli())
+				tokenStorage.Email = identifier
+			}
+			record := &coreauth.Auth{
+				ID:         fmt.Sprintf("iflow-%s.json", identifier),
+				Provider:   "iflow",
+				FileName:   fmt.Sprintf("iflow-%s.json", identifier),
+				Storage:    tokenStorage,
+				Metadata:   map[string]any{"email": identifier, "api_key": tokenStorage.APIKey},
+				Attributes: map[string]string{"api_key": tokenStorage.APIKey},
+			}
+
+			savedPath, errSave := h.saveTokenRecord(ctx, record)
+			if errSave != nil {
+				oauthStatus[state] = "Failed to save authentication tokens"
+				log.Fatalf("Failed to save authentication tokens: %v", errSave)
+				return
+			}
+
+			fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+			if tokenStorage.APIKey != "" {
+				fmt.Println("API key obtained and saved")
+			}
+			fmt.Println("You can now use iFlow services through this CLI")
+			delete(oauthStatus, state)
+		}()
+
+		oauthStatus[state] = ""
+		c.JSON(http.StatusOK, gin.H{"status": "ok", "url": authURL, "state": state})
+		return
+	}
+
+	oauthServer := iflowauth.NewOAuthServer(iflowauth.CallbackPort)
+	if err := oauthServer.Start(); err != nil {
+		oauthStatus[state] = "Failed to start authentication server"
+		log.Errorf("Failed to start iFlow OAuth server: %v", err)
+		c.JSON(http.StatusInternalServerError, gin.H{"status": "error", "error": "failed to start local oauth server"})
+		return
+	}
+
+	go func() {
+		fmt.Println("Waiting for authentication...")
+		defer func() {
+			stopCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+			defer cancel()
+			if err := oauthServer.Stop(stopCtx); err != nil {
+				log.Warnf("Failed to stop iFlow OAuth server: %v", err)
+			}
+		}()
+
+		result, err := oauthServer.WaitForCallback(5 * time.Minute)
+		if err != nil {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %v\n", err)
+			return
+		}
+
+		if result.Error != "" {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %s\n", result.Error)
+			return
+		}
+
+		if result.State != state {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Println("Authentication failed: state mismatch")
+			return
+		}
+
+		tokenData, errExchange := authSvc.ExchangeCodeForTokens(ctx, result.Code, redirectURI)
+		if errExchange != nil {
+			oauthStatus[state] = "Authentication failed"
+			fmt.Printf("Authentication failed: %v\n", errExchange)
+			return
+		}
+
+		tokenStorage := authSvc.CreateTokenStorage(tokenData)
+		identifier := strings.TrimSpace(tokenStorage.Email)
+		if identifier == "" {
+			identifier = fmt.Sprintf("iflow-%d", time.Now().UnixMilli())
+			tokenStorage.Email = identifier
+		}
+		record := &coreauth.Auth{
+			ID:         fmt.Sprintf("iflow-%s.json", identifier),
+			Provider:   "iflow",
+			FileName:   fmt.Sprintf("iflow-%s.json", identifier),
+			Storage:    tokenStorage,
+			Metadata:   map[string]any{"email": identifier, "api_key": tokenStorage.APIKey},
+			Attributes: map[string]string{"api_key": tokenStorage.APIKey},
+		}
+
+		savedPath, errSave := h.saveTokenRecord(ctx, record)
+		if errSave != nil {
+			oauthStatus[state] = "Failed to save authentication tokens"
+			log.Fatalf("Failed to save authentication tokens: %v", errSave)
+			return
+		}
+
+		fmt.Printf("Authentication successful! Token saved to %s\n", savedPath)
+		if tokenStorage.APIKey != "" {
+			fmt.Println("API key obtained and saved")
+		}
+		fmt.Println("You can now use iFlow services through this CLI")
+		delete(oauthStatus, state)
+	}()
+
+	oauthStatus[state] = ""
+	c.JSON(http.StatusOK, gin.H{"status": "ok", "url": authURL, "state": state})
+}
+
+type projectSelectionRequiredError struct{}
+
+func (e *projectSelectionRequiredError) Error() string {
+	return "gemini cli: project selection required"
+}
+
+func ensureGeminiProjectAndOnboard(ctx context.Context, httpClient *http.Client, storage *geminiAuth.GeminiTokenStorage, requestedProject string) error {
+	if storage == nil {
+		return fmt.Errorf("gemini storage is nil")
+	}
+
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	if trimmedRequest == "" {
+		projects, errProjects := fetchGCPProjects(ctx, httpClient)
+		if errProjects != nil {
+			return fmt.Errorf("fetch project list: %w", errProjects)
+		}
+		if len(projects) == 0 {
+			return fmt.Errorf("no Google Cloud projects available for this account")
+		}
+		trimmedRequest = strings.TrimSpace(projects[0].ProjectID)
+		if trimmedRequest == "" {
+			return fmt.Errorf("resolved project id is empty")
+		}
+		storage.Auto = true
+	} else {
+		storage.Auto = false
+	}
+
+	if err := performGeminiCLISetup(ctx, httpClient, storage, trimmedRequest); err != nil {
+		return err
+	}
+
+	if strings.TrimSpace(storage.ProjectID) == "" {
+		storage.ProjectID = trimmedRequest
+	}
+
+	return nil
+}
+
+func performGeminiCLISetup(ctx context.Context, httpClient *http.Client, storage *geminiAuth.GeminiTokenStorage, requestedProject string) error {
+	metadata := map[string]string{
+		"ideType":    "IDE_UNSPECIFIED",
+		"platform":   "PLATFORM_UNSPECIFIED",
+		"pluginType": "GEMINI",
+	}
+
+	trimmedRequest := strings.TrimSpace(requestedProject)
+	explicitProject := trimmedRequest != ""
+
+	loadReqBody := map[string]any{
+		"metadata": metadata,
+	}
+	if explicitProject {
+		loadReqBody["cloudaicompanionProject"] = trimmedRequest
+	}
+
+	var loadResp map[string]any
+	if errLoad := callGeminiCLI(ctx, httpClient, "loadCodeAssist", loadReqBody, &loadResp); errLoad != nil {
+		return fmt.Errorf("load code assist: %w", errLoad)
+	}
+
+	tierID := "legacy-tier"
+	if tiers, okTiers := loadResp["allowedTiers"].([]any); okTiers {
+		for _, rawTier := range tiers {
+			tier, okTier := rawTier.(map[string]any)
+			if !okTier {
+				continue
+			}
+			if isDefault, okDefault := tier["isDefault"].(bool); okDefault && isDefault {
+				if id, okID := tier["id"].(string); okID && strings.TrimSpace(id) != "" {
+					tierID = strings.TrimSpace(id)
+					break
+				}
+			}
+		}
+	}
+
+	projectID := trimmedRequest
+	if projectID == "" {
+		if id, okProject := loadResp["cloudaicompanionProject"].(string); okProject {
+			projectID = strings.TrimSpace(id)
+		}
+		if projectID == "" {
+			if projectMap, okProject := loadResp["cloudaicompanionProject"].(map[string]any); okProject {
+				if id, okID := projectMap["id"].(string); okID {
+					projectID = strings.TrimSpace(id)
+				}
+			}
+		}
+	}
+	if projectID == "" {
+		return &projectSelectionRequiredError{}
+	}
+
+	onboardReqBody := map[string]any{
+		"tierId":                  tierID,
+		"metadata":                metadata,
+		"cloudaicompanionProject": projectID,
+	}
+
+	storage.ProjectID = projectID
+
+	for {
+		var onboardResp map[string]any
+		if errOnboard := callGeminiCLI(ctx, httpClient, "onboardUser", onboardReqBody, &onboardResp); errOnboard != nil {
+			return fmt.Errorf("onboard user: %w", errOnboard)
+		}
+
+		if done, okDone := onboardResp["done"].(bool); okDone && done {
+			responseProjectID := ""
+			if resp, okResp := onboardResp["response"].(map[string]any); okResp {
+				switch projectValue := resp["cloudaicompanionProject"].(type) {
+				case map[string]any:
+					if id, okID := projectValue["id"].(string); okID {
+						responseProjectID = strings.TrimSpace(id)
+					}
+				case string:
+					responseProjectID = strings.TrimSpace(projectValue)
+				}
+			}
+
+			finalProjectID := projectID
+			if responseProjectID != "" {
+				if explicitProject && !strings.EqualFold(responseProjectID, projectID) {
+					log.Warnf("Gemini onboarding returned project %s instead of requested %s; keeping requested project ID.", responseProjectID, projectID)
+				} else {
+					finalProjectID = responseProjectID
+				}
+			}
+
+			storage.ProjectID = strings.TrimSpace(finalProjectID)
+			if storage.ProjectID == "" {
+				storage.ProjectID = strings.TrimSpace(projectID)
+			}
+			if storage.ProjectID == "" {
+				return fmt.Errorf("onboard user completed without project id")
+			}
+			log.Infof("Onboarding complete. Using Project ID: %s", storage.ProjectID)
+			return nil
+		}
+
+		log.Println("Onboarding in progress, waiting 5 seconds...")
+		time.Sleep(5 * time.Second)
+	}
+}
+
+func callGeminiCLI(ctx context.Context, httpClient *http.Client, endpoint string, body any, result any) error {
+	endPointURL := fmt.Sprintf("%s/%s:%s", geminiCLIEndpoint, geminiCLIVersion, endpoint)
+	if strings.HasPrefix(endpoint, "operations/") {
+		endPointURL = fmt.Sprintf("%s/%s", geminiCLIEndpoint, endpoint)
+	}
+
+	var reader io.Reader
+	if body != nil {
+		rawBody, errMarshal := json.Marshal(body)
+		if errMarshal != nil {
+			return fmt.Errorf("marshal request body: %w", errMarshal)
+		}
+		reader = bytes.NewReader(rawBody)
+	}
+
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodPost, endPointURL, reader)
+	if errRequest != nil {
+		return fmt.Errorf("create request: %w", errRequest)
+	}
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("User-Agent", geminiCLIUserAgent)
+	req.Header.Set("X-Goog-Api-Client", geminiCLIApiClient)
+	req.Header.Set("Client-Metadata", geminiCLIClientMetadata)
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return fmt.Errorf("execute request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return fmt.Errorf("api request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	if result == nil {
+		_, _ = io.Copy(io.Discard, resp.Body)
+		return nil
+	}
+
+	if errDecode := json.NewDecoder(resp.Body).Decode(result); errDecode != nil {
+		return fmt.Errorf("decode response body: %w", errDecode)
+	}
+
+	return nil
+}
+
+func fetchGCPProjects(ctx context.Context, httpClient *http.Client) ([]interfaces.GCPProjectProjects, error) {
+	req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, "https://cloudresourcemanager.googleapis.com/v1/projects", nil)
+	if errRequest != nil {
+		return nil, fmt.Errorf("could not create project list request: %w", errRequest)
+	}
+
+	resp, errDo := httpClient.Do(req)
+	if errDo != nil {
+		return nil, fmt.Errorf("failed to execute project list request: %w", errDo)
+	}
+	defer func() {
+		if errClose := resp.Body.Close(); errClose != nil {
+			log.Errorf("response body close error: %v", errClose)
+		}
+	}()
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusMultipleChoices {
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		return nil, fmt.Errorf("project list request failed with status %d: %s", resp.StatusCode, strings.TrimSpace(string(bodyBytes)))
+	}
+
+	var projects interfaces.GCPProject
+	if errDecode := json.NewDecoder(resp.Body).Decode(&projects); errDecode != nil {
+		return nil, fmt.Errorf("failed to unmarshal project list: %w", errDecode)
+	}
+
+	return projects.Projects, nil
+}
+
+func checkCloudAPIIsEnabled(ctx context.Context, httpClient *http.Client, projectID string) (bool, error) {
+	serviceUsageURL := "https://serviceusage.googleapis.com"
+	requiredServices := []string{
+		"cloudaicompanion.googleapis.com",
+	}
+	for _, service := range requiredServices {
+		checkURL := fmt.Sprintf("%s/v1/projects/%s/services/%s", serviceUsageURL, projectID, service)
+		req, errRequest := http.NewRequestWithContext(ctx, http.MethodGet, checkURL, nil)
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo := httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		if resp.StatusCode == http.StatusOK {
+			bodyBytes, _ := io.ReadAll(resp.Body)
+			if gjson.GetBytes(bodyBytes, "state").String() == "ENABLED" {
+				_ = resp.Body.Close()
+				continue
+			}
+		}
+		_ = resp.Body.Close()
+
+		enableURL := fmt.Sprintf("%s/v1/projects/%s/services/%s:enable", serviceUsageURL, projectID, service)
+		req, errRequest = http.NewRequestWithContext(ctx, http.MethodPost, enableURL, strings.NewReader("{}"))
+		if errRequest != nil {
+			return false, fmt.Errorf("failed to create request: %w", errRequest)
+		}
+		req.Header.Set("Content-Type", "application/json")
+		req.Header.Set("User-Agent", geminiCLIUserAgent)
+		resp, errDo = httpClient.Do(req)
+		if errDo != nil {
+			return false, fmt.Errorf("failed to execute request: %w", errDo)
+		}
+
+		bodyBytes, _ := io.ReadAll(resp.Body)
+		errMessage := string(bodyBytes)
+		errMessageResult := gjson.GetBytes(bodyBytes, "error.message")
+		if errMessageResult.Exists() {
+			errMessage = errMessageResult.String()
+		}
+		if resp.StatusCode == http.StatusOK || resp.StatusCode == http.StatusCreated {
+			_ = resp.Body.Close()
+			continue
+		} else if resp.StatusCode == http.StatusBadRequest {
+			_ = resp.Body.Close()
+			if strings.Contains(strings.ToLower(errMessage), "already enabled") {
+				continue
+			}
+		}
+		return false, fmt.Errorf("project activation required: %s", errMessage)
+	}
+	return true, nil
+}
+
 func (h *Handler) GetAuthStatus(c *gin.Context) {
 	state := c.Query("state")
 	if err, ok := oauthStatus[state]; ok {

internal/api/server.go

@@ -34,6 +34,8 @@ import (
 	log "github.com/sirupsen/logrus"
 )
 
+const oauthCallbackSuccessHTML = `<html><head><meta charset="utf-8"><title>Authentication successful</title><script>setTimeout(function(){window.close();},5000);</script></head><body><h1>Authentication successful!</h1><p>You can close this window.</p><p>This window will close automatically in 5 seconds.</p></body></html>`
+
 type serverOptionConfig struct {
 	extraMiddleware      []gin.HandlerFunc
 	engineConfigurator   func(*gin.Engine)
@@ -293,7 +295,7 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
 	s.engine.GET("/codex/callback", func(c *gin.Context) {
@@ -305,7 +307,7 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
 	s.engine.GET("/google/callback", func(c *gin.Context) {
@@ -317,7 +319,19 @@ func (s *Server) setupRoutes() {
 			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
 		}
 		c.Header("Content-Type", "text/html; charset=utf-8")
-		c.String(http.StatusOK, "<html><body><h1>Authentication successful!</h1><p>You can close this window.</p></body></html>")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
+	})
+
+	s.engine.GET("/iflow/callback", func(c *gin.Context) {
+		code := c.Query("code")
+		state := c.Query("state")
+		errStr := c.Query("error")
+		if state != "" {
+			file := fmt.Sprintf("%s/.oauth-iflow-%s.oauth", s.cfg.AuthDir, state)
+			_ = os.WriteFile(file, []byte(fmt.Sprintf(`{"code":"%s","state":"%s","error":"%s"}`, code, state, errStr)), 0o600)
+		}
+		c.Header("Content-Type", "text/html; charset=utf-8")
+		c.String(http.StatusOK, oauthCallbackSuccessHTML)
 	})
 
 	// Management routes are registered lazily by registerManagementRoutes when a secret is configured.
@@ -407,6 +421,7 @@ func (s *Server) registerManagementRoutes() {
 		mgmt.GET("/gemini-cli-auth-url", s.mgmt.RequestGeminiCLIToken)
 		mgmt.POST("/gemini-web-token", s.mgmt.CreateGeminiWebToken)
 		mgmt.GET("/qwen-auth-url", s.mgmt.RequestQwenToken)
+		mgmt.GET("/iflow-auth-url", s.mgmt.RequestIFlowToken)
 		mgmt.GET("/get-auth-status", s.mgmt.GetAuthStatus)
 	}
 }

internal/auth/iflow/iflow_auth.go

@@ -0,0 +1,275 @@
+package iflow
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	log "github.com/sirupsen/logrus"
+)
+
+const (
+	// OAuth endpoints and client metadata are derived from the reference Python implementation.
+	iFlowOAuthTokenEndpoint     = "https://iflow.cn/oauth/token"
+	iFlowOAuthAuthorizeEndpoint = "https://iflow.cn/oauth"
+	iFlowUserInfoEndpoint       = "https://iflow.cn/api/oauth/getUserInfo"
+	iFlowSuccessRedirectURL     = "https://iflow.cn/oauth/success"
+
+	// Client credentials provided by iFlow for the Code Assist integration.
+	iFlowOAuthClientID     = "10009311001"
+	iFlowOAuthClientSecret = "4Z3YjXycVsQvyGF1etiNlIBB4RsqSDtW"
+)
+
+// DefaultAPIBaseURL is the canonical chat completions endpoint.
+const DefaultAPIBaseURL = "https://apis.iflow.cn/v1"
+
+// SuccessRedirectURL is exposed for consumers needing the official success page.
+const SuccessRedirectURL = iFlowSuccessRedirectURL
+
+// CallbackPort defines the local port used for OAuth callbacks.
+const CallbackPort = 11451
+
+// IFlowAuth encapsulates the HTTP client helpers for the OAuth flow.
+type IFlowAuth struct {
+	httpClient *http.Client
+}
+
+// NewIFlowAuth constructs a new IFlowAuth with proxy-aware transport.
+func NewIFlowAuth(cfg *config.Config) *IFlowAuth {
+	client := &http.Client{Timeout: 30 * time.Second}
+	return &IFlowAuth{httpClient: util.SetProxy(&cfg.SDKConfig, client)}
+}
+
+// AuthorizationURL builds the authorization URL and matching redirect URI.
+func (ia *IFlowAuth) AuthorizationURL(state string, port int) (authURL, redirectURI string) {
+	redirectURI = fmt.Sprintf("http://localhost:%d/oauth2callback", port)
+	values := url.Values{}
+	values.Set("loginMethod", "phone")
+	values.Set("type", "phone")
+	values.Set("redirect", redirectURI)
+	values.Set("state", state)
+	values.Set("client_id", iFlowOAuthClientID)
+	authURL = fmt.Sprintf("%s?%s", iFlowOAuthAuthorizeEndpoint, values.Encode())
+	return authURL, redirectURI
+}
+
+// ExchangeCodeForTokens exchanges an authorization code for access and refresh tokens.
+func (ia *IFlowAuth) ExchangeCodeForTokens(ctx context.Context, code, redirectURI string) (*IFlowTokenData, error) {
+	form := url.Values{}
+	form.Set("grant_type", "authorization_code")
+	form.Set("code", code)
+	form.Set("redirect_uri", redirectURI)
+	form.Set("client_id", iFlowOAuthClientID)
+	form.Set("client_secret", iFlowOAuthClientSecret)
+
+	req, err := ia.newTokenRequest(ctx, form)
+	if err != nil {
+		return nil, err
+	}
+
+	return ia.doTokenRequest(ctx, req)
+}
+
+// RefreshTokens exchanges a refresh token for a new access token.
+func (ia *IFlowAuth) RefreshTokens(ctx context.Context, refreshToken string) (*IFlowTokenData, error) {
+	form := url.Values{}
+	form.Set("grant_type", "refresh_token")
+	form.Set("refresh_token", refreshToken)
+	form.Set("client_id", iFlowOAuthClientID)
+	form.Set("client_secret", iFlowOAuthClientSecret)
+
+	req, err := ia.newTokenRequest(ctx, form)
+	if err != nil {
+		return nil, err
+	}
+
+	return ia.doTokenRequest(ctx, req)
+}
+
+func (ia *IFlowAuth) newTokenRequest(ctx context.Context, form url.Values) (*http.Request, error) {
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, iFlowOAuthTokenEndpoint, strings.NewReader(form.Encode()))
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: create request failed: %w", err)
+	}
+
+	basic := base64.StdEncoding.EncodeToString([]byte(iFlowOAuthClientID + ":" + iFlowOAuthClientSecret))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.Header.Set("Accept", "application/json")
+	req.Header.Set("Authorization", "Basic "+basic)
+	return req, nil
+}
+
+func (ia *IFlowAuth) doTokenRequest(ctx context.Context, req *http.Request) (*IFlowTokenData, error) {
+	resp, err := ia.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("iflow token: read response failed: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		log.Debugf("iflow token request failed: status=%d body=%s", resp.StatusCode, string(body))
+		return nil, fmt.Errorf("iflow token: %d %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var tokenResp IFlowTokenResponse
+	if err = json.Unmarshal(body, &tokenResp); err != nil {
+		return nil, fmt.Errorf("iflow token: decode response failed: %w", err)
+	}
+
+	data := &IFlowTokenData{
+		AccessToken:  tokenResp.AccessToken,
+		RefreshToken: tokenResp.RefreshToken,
+		TokenType:    tokenResp.TokenType,
+		Scope:        tokenResp.Scope,
+		Expire:       time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second).Format(time.RFC3339),
+	}
+
+	if tokenResp.AccessToken == "" {
+		return nil, fmt.Errorf("iflow token: missing access token in response")
+	}
+
+	info, errAPI := ia.FetchUserInfo(ctx, tokenResp.AccessToken)
+	if errAPI != nil {
+		return nil, fmt.Errorf("iflow token: fetch user info failed: %w", errAPI)
+	}
+	if strings.TrimSpace(info.APIKey) == "" {
+		return nil, fmt.Errorf("iflow token: empty api key returned")
+	}
+	email := strings.TrimSpace(info.Email)
+	if email == "" {
+		email = strings.TrimSpace(info.Phone)
+	}
+	if email == "" {
+		return nil, fmt.Errorf("iflow token: missing account email/phone in user info")
+	}
+	data.APIKey = info.APIKey
+	data.Email = email
+
+	return data, nil
+}
+
+// FetchUserInfo retrieves account metadata (including API key) for the provided access token.
+func (ia *IFlowAuth) FetchUserInfo(ctx context.Context, accessToken string) (*userInfoData, error) {
+	if strings.TrimSpace(accessToken) == "" {
+		return nil, fmt.Errorf("iflow api key: access token is empty")
+	}
+
+	endpoint := fmt.Sprintf("%s?accessToken=%s", iFlowUserInfoEndpoint, url.QueryEscape(accessToken))
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: create request failed: %w", err)
+	}
+	req.Header.Set("Accept", "application/json")
+
+	resp, err := ia.httpClient.Do(req)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: request failed: %w", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return nil, fmt.Errorf("iflow api key: read response failed: %w", err)
+	}
+
+	if resp.StatusCode != http.StatusOK {
+		log.Debugf("iflow api key failed: status=%d body=%s", resp.StatusCode, string(body))
+		return nil, fmt.Errorf("iflow api key: %d %s", resp.StatusCode, strings.TrimSpace(string(body)))
+	}
+
+	var result userInfoResponse
+	if err = json.Unmarshal(body, &result); err != nil {
+		return nil, fmt.Errorf("iflow api key: decode body failed: %w", err)
+	}
+
+	if !result.Success {
+		return nil, fmt.Errorf("iflow api key: request not successful")
+	}
+
+	if result.Data.APIKey == "" {
+		return nil, fmt.Errorf("iflow api key: missing api key in response")
+	}
+
+	return &result.Data, nil
+}
+
+// CreateTokenStorage converts token data into persistence storage.
+func (ia *IFlowAuth) CreateTokenStorage(data *IFlowTokenData) *IFlowTokenStorage {
+	if data == nil {
+		return nil
+	}
+	return &IFlowTokenStorage{
+		AccessToken:  data.AccessToken,
+		RefreshToken: data.RefreshToken,
+		LastRefresh:  time.Now().Format(time.RFC3339),
+		Expire:       data.Expire,
+		APIKey:       data.APIKey,
+		Email:        data.Email,
+		TokenType:    data.TokenType,
+		Scope:        data.Scope,
+	}
+}
+
+// UpdateTokenStorage updates the persisted token storage with latest token data.
+func (ia *IFlowAuth) UpdateTokenStorage(storage *IFlowTokenStorage, data *IFlowTokenData) {
+	if storage == nil || data == nil {
+		return
+	}
+	storage.AccessToken = data.AccessToken
+	storage.RefreshToken = data.RefreshToken
+	storage.LastRefresh = time.Now().Format(time.RFC3339)
+	storage.Expire = data.Expire
+	if data.APIKey != "" {
+		storage.APIKey = data.APIKey
+	}
+	if data.Email != "" {
+		storage.Email = data.Email
+	}
+	storage.TokenType = data.TokenType
+	storage.Scope = data.Scope
+}
+
+// IFlowTokenResponse models the OAuth token endpoint response.
+type IFlowTokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	TokenType    string `json:"token_type"`
+	Scope        string `json:"scope"`
+}
+
+// IFlowTokenData captures processed token details.
+type IFlowTokenData struct {
+	AccessToken  string
+	RefreshToken string
+	TokenType    string
+	Scope        string
+	Expire       string
+	APIKey       string
+	Email        string
+}
+
+// userInfoResponse represents the structure returned by the user info endpoint.
+type userInfoResponse struct {
+	Success bool         `json:"success"`
+	Data    userInfoData `json:"data"`
+}
+
+type userInfoData struct {
+	APIKey string `json:"apiKey"`
+	Email  string `json:"email"`
+	Phone  string `json:"phone"`
+}

internal/auth/iflow/iflow_token.go

@@ -0,0 +1,43 @@
+package iflow
+
+import (
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
+)
+
+// IFlowTokenStorage persists iFlow OAuth credentials alongside the derived API key.
+type IFlowTokenStorage struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	LastRefresh  string `json:"last_refresh"`
+	Expire       string `json:"expired"`
+	APIKey       string `json:"api_key"`
+	Email        string `json:"email"`
+	TokenType    string `json:"token_type"`
+	Scope        string `json:"scope"`
+	Type         string `json:"type"`
+}
+
+// SaveTokenToFile serialises the token storage to disk.
+func (ts *IFlowTokenStorage) SaveTokenToFile(authFilePath string) error {
+	misc.LogSavingCredentials(authFilePath)
+	ts.Type = "iflow"
+	if err := os.MkdirAll(filepath.Dir(authFilePath), 0o700); err != nil {
+		return fmt.Errorf("iflow token: create directory failed: %w", err)
+	}
+
+	f, err := os.Create(authFilePath)
+	if err != nil {
+		return fmt.Errorf("iflow token: create file failed: %w", err)
+	}
+	defer func() { _ = f.Close() }()
+
+	if err = json.NewEncoder(f).Encode(ts); err != nil {
+		return fmt.Errorf("iflow token: encode token failed: %w", err)
+	}
+	return nil
+}

internal/auth/iflow/oauth_server.go

@@ -0,0 +1,143 @@
+package iflow
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	log "github.com/sirupsen/logrus"
+)
+
+const errorRedirectURL = "https://iflow.cn/oauth/error"
+
+// OAuthResult captures the outcome of the local OAuth callback.
+type OAuthResult struct {
+	Code  string
+	State string
+	Error string
+}
+
+// OAuthServer provides a minimal HTTP server for handling the iFlow OAuth callback.
+type OAuthServer struct {
+	server  *http.Server
+	port    int
+	result  chan *OAuthResult
+	errChan chan error
+	mu      sync.Mutex
+	running bool
+}
+
+// NewOAuthServer constructs a new OAuthServer bound to the provided port.
+func NewOAuthServer(port int) *OAuthServer {
+	return &OAuthServer{
+		port:    port,
+		result:  make(chan *OAuthResult, 1),
+		errChan: make(chan error, 1),
+	}
+}
+
+// Start launches the callback listener.
+func (s *OAuthServer) Start() error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if s.running {
+		return fmt.Errorf("iflow oauth server already running")
+	}
+	if !s.isPortAvailable() {
+		return fmt.Errorf("port %d is already in use", s.port)
+	}
+
+	mux := http.NewServeMux()
+	mux.HandleFunc("/oauth2callback", s.handleCallback)
+
+	s.server = &http.Server{
+		Addr:         fmt.Sprintf(":%d", s.port),
+		Handler:      mux,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 10 * time.Second,
+	}
+
+	s.running = true
+
+	go func() {
+		if err := s.server.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+			s.errChan <- err
+		}
+	}()
+
+	time.Sleep(100 * time.Millisecond)
+	return nil
+}
+
+// Stop gracefully terminates the callback listener.
+func (s *OAuthServer) Stop(ctx context.Context) error {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if !s.running || s.server == nil {
+		return nil
+	}
+	defer func() {
+		s.running = false
+		s.server = nil
+	}()
+	return s.server.Shutdown(ctx)
+}
+
+// WaitForCallback blocks until a callback result, server error, or timeout occurs.
+func (s *OAuthServer) WaitForCallback(timeout time.Duration) (*OAuthResult, error) {
+	select {
+	case res := <-s.result:
+		return res, nil
+	case err := <-s.errChan:
+		return nil, err
+	case <-time.After(timeout):
+		return nil, fmt.Errorf("timeout waiting for OAuth callback")
+	}
+}
+
+func (s *OAuthServer) handleCallback(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	query := r.URL.Query()
+	if errParam := strings.TrimSpace(query.Get("error")); errParam != "" {
+		s.sendResult(&OAuthResult{Error: errParam})
+		http.Redirect(w, r, errorRedirectURL, http.StatusFound)
+		return
+	}
+
+	code := strings.TrimSpace(query.Get("code"))
+	if code == "" {
+		s.sendResult(&OAuthResult{Error: "missing_code"})
+		http.Redirect(w, r, errorRedirectURL, http.StatusFound)
+		return
+	}
+
+	state := query.Get("state")
+	s.sendResult(&OAuthResult{Code: code, State: state})
+	http.Redirect(w, r, SuccessRedirectURL, http.StatusFound)
+}
+
+func (s *OAuthServer) sendResult(res *OAuthResult) {
+	select {
+	case s.result <- res:
+	default:
+		log.Debug("iflow oauth result channel full, dropping result")
+	}
+}
+
+func (s *OAuthServer) isPortAvailable() bool {
+	addr := fmt.Sprintf(":%d", s.port)
+	listener, err := net.Listen("tcp", addr)
+	if err != nil {
+		return false
+	}
+	_ = listener.Close()
+	return true
+}

internal/cmd/auth_manager.go

@@ -17,6 +17,7 @@ func newAuthManager() *sdkAuth.Manager {
 		sdkAuth.NewCodexAuthenticator(),
 		sdkAuth.NewClaudeAuthenticator(),
 		sdkAuth.NewQwenAuthenticator(),
+		sdkAuth.NewIFlowAuthenticator(),
 	)
 	return manager
 }

internal/cmd/iflow_login.go

@@ -0,0 +1,54 @@
+package cmd
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	sdkAuth "github.com/router-for-me/CLIProxyAPI/v6/sdk/auth"
+	log "github.com/sirupsen/logrus"
+)
+
+// DoIFlowLogin performs the iFlow OAuth login via the shared authentication manager.
+func DoIFlowLogin(cfg *config.Config, options *LoginOptions) {
+	if options == nil {
+		options = &LoginOptions{}
+	}
+
+	manager := newAuthManager()
+
+	promptFn := options.Prompt
+	if promptFn == nil {
+		promptFn = func(prompt string) (string, error) {
+			fmt.Println()
+			fmt.Println(prompt)
+			var value string
+			_, err := fmt.Scanln(&value)
+			return value, err
+		}
+	}
+
+	authOpts := &sdkAuth.LoginOptions{
+		NoBrowser: options.NoBrowser,
+		Metadata:  map[string]string{},
+		Prompt:    promptFn,
+	}
+
+	_, savedPath, err := manager.Login(context.Background(), "iflow", cfg, authOpts)
+	if err != nil {
+		var emailErr *sdkAuth.EmailRequiredError
+		if errors.As(err, &emailErr) {
+			log.Error(emailErr.Error())
+			return
+		}
+		fmt.Printf("iFlow authentication failed: %v\n", err)
+		return
+	}
+
+	if savedPath != "" {
+		fmt.Printf("Authentication saved to %s\n", savedPath)
+	}
+
+	fmt.Println("iFlow authentication successful!")
+}

internal/registry/model_definitions.go

@@ -152,6 +152,20 @@ func GetGeminiCLIModels() []*ModelInfo {
 			OutputTokenLimit:           65536,
 			SupportedGenerationMethods: []string{"generateContent", "countTokens", "createCachedContent", "batchGenerateContent"},
 		},
+		{
+			ID:                         "gemini-2.5-flash-image-preview",
+			Object:                     "model",
+			Created:                    time.Now().Unix(),
+			OwnedBy:                    "google",
+			Type:                       "gemini",
+			Name:                       "models/gemini-2.5-flash-image-preview",
+			Version:                    "2.5",
+			DisplayName:                "Gemini 2.5 Flash Image Preview",
+			Description:                "State-of-the-art image generation and editing model.",
+			InputTokenLimit:            1048576,
+			OutputTokenLimit:           8192,
+			SupportedGenerationMethods: []string{"generateContent", "countTokens", "createCachedContent", "batchGenerateContent"},
+		},
 	}
 }
 
@@ -322,3 +336,45 @@ func GetQwenModels() []*ModelInfo {
 		},
 	}
 }
+
+// GetIFlowModels returns supported models for iFlow OAuth accounts.
+
+func GetIFlowModels() []*ModelInfo {
+	created := time.Now().Unix()
+	entries := []struct {
+		ID          string
+		DisplayName string
+		Description string
+	}{
+		{ID: "tstars2.0", DisplayName: "TStars-2.0", Description: "iFlow TStars-2.0 multimodal assistant"},
+		{ID: "qwen3-coder-plus", DisplayName: "Qwen3-Coder-Plus", Description: "Qwen3 Coder Plus code generation"},
+		{ID: "qwen3-coder", DisplayName: "Qwen3-Coder-480B-A35B", Description: "Qwen3 Coder 480B A35B"},
+		{ID: "qwen3-max", DisplayName: "Qwen3-Max", Description: "Qwen3 flagship model"},
+		{ID: "qwen3-vl-plus", DisplayName: "Qwen3-VL-Plus", Description: "Qwen3 multimodal vision-language"},
+		{ID: "qwen3-max-preview", DisplayName: "Qwen3-Max-Preview", Description: "Qwen3 Max preview build"},
+		{ID: "kimi-k2-0905", DisplayName: "Kimi-K2-Instruct-0905", Description: "Moonshot Kimi K2 instruct 0905"},
+		{ID: "glm-4.5", DisplayName: "GLM-4.5", Description: "Zhipu GLM 4.5 general model"},
+		{ID: "kimi-k2", DisplayName: "Kimi-K2", Description: "Moonshot Kimi K2 general model"},
+		{ID: "deepseek-v3.2", DisplayName: "DeepSeek-V3.2-Exp", Description: "DeepSeek V3.2 experimental"},
+		{ID: "deepseek-v3.1", DisplayName: "DeepSeek-V3.1-Terminus", Description: "DeepSeek V3.1 Terminus"},
+		{ID: "deepseek-r1", DisplayName: "DeepSeek-R1", Description: "DeepSeek reasoning model R1"},
+		{ID: "deepseek-v3", DisplayName: "DeepSeek-V3-671B", Description: "DeepSeek V3 671B"},
+		{ID: "qwen3-32b", DisplayName: "Qwen3-32B", Description: "Qwen3 32B"},
+		{ID: "qwen3-235b-a22b-thinking-2507", DisplayName: "Qwen3-235B-A22B-Thinking", Description: "Qwen3 235B A22B Thinking (2507)"},
+		{ID: "qwen3-235b-a22b-instruct", DisplayName: "Qwen3-235B-A22B-Instruct", Description: "Qwen3 235B A22B Instruct"},
+		{ID: "qwen3-235b", DisplayName: "Qwen3-235B-A22B", Description: "Qwen3 235B A22B"},
+	}
+	models := make([]*ModelInfo, 0, len(entries))
+	for _, entry := range entries {
+		models = append(models, &ModelInfo{
+			ID:          entry.ID,
+			Object:      "model",
+			Created:     created,
+			OwnedBy:     "iflow",
+			Type:        "iflow",
+			DisplayName: entry.DisplayName,
+			Description: entry.Description,
+		})
+	}
+	return models
+}

internal/runtime/executor/claude_executor.go

@@ -144,8 +144,8 @@ func (e *ClaudeExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 1024*1024)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/codex_executor.go

@@ -189,8 +189,8 @@ func (e *CodexExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Au
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 1024*1024)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/gemini_cli_executor.go

@@ -212,8 +212,8 @@ func (e *GeminiCLIExecutor) ExecuteStream(ctx context.Context, auth *cliproxyaut
 			defer func() { _ = resp.Body.Close() }()
 			if opts.Alt == "" {
 				scanner := bufio.NewScanner(resp.Body)
-				buf := make([]byte, 1024*1024)
+				buf := make([]byte, 20_971_520)
-				scanner.Buffer(buf, 1024*1024)
+				scanner.Buffer(buf, 20_971_520)
 				var param any
 				for scanner.Scan() {
 					line := scanner.Bytes()

internal/runtime/executor/gemini_executor.go

@@ -173,8 +173,8 @@ func (e *GeminiExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.A
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 1024*1024)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/iflow_executor.go

@@ -0,0 +1,261 @@
+package executor
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	iflowauth "github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	cliproxyauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	cliproxyexecutor "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/executor"
+	sdktranslator "github.com/router-for-me/CLIProxyAPI/v6/sdk/translator"
+	log "github.com/sirupsen/logrus"
+	"github.com/tidwall/gjson"
+	"github.com/tidwall/sjson"
+)
+
+const (
+	iflowDefaultEndpoint = "/chat/completions"
+	iflowUserAgent       = "iFlow-Cli"
+)
+
+// IFlowExecutor executes OpenAI-compatible chat completions against the iFlow API using API keys derived from OAuth.
+type IFlowExecutor struct {
+	cfg *config.Config
+}
+
+// NewIFlowExecutor constructs a new executor instance.
+func NewIFlowExecutor(cfg *config.Config) *IFlowExecutor { return &IFlowExecutor{cfg: cfg} }
+
+// Identifier returns the provider key.
+func (e *IFlowExecutor) Identifier() string { return "iflow" }
+
+// PrepareRequest implements ProviderExecutor but requires no preprocessing.
+func (e *IFlowExecutor) PrepareRequest(_ *http.Request, _ *cliproxyauth.Auth) error { return nil }
+
+// Execute performs a non-streaming chat completion request.
+func (e *IFlowExecutor) Execute(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	apiKey, baseURL := iflowCreds(auth)
+	if strings.TrimSpace(apiKey) == "" {
+		return cliproxyexecutor.Response{}, fmt.Errorf("iflow executor: missing api key")
+	}
+	if baseURL == "" {
+		baseURL = iflowauth.DefaultAPIBaseURL
+	}
+
+	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
+
+	from := opts.SourceFormat
+	to := sdktranslator.FromString("openai")
+	body := sdktranslator.TranslateRequest(from, to, req.Model, bytes.Clone(req.Payload), false)
+
+	endpoint := strings.TrimSuffix(baseURL, "/") + iflowDefaultEndpoint
+	recordAPIRequest(ctx, e.cfg, body)
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	applyIFlowHeaders(httpReq, apiKey, false)
+
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	defer func() { _ = resp.Body.Close() }()
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		b, _ := io.ReadAll(resp.Body)
+		appendAPIResponseChunk(ctx, e.cfg, b)
+		log.Debugf("iflow request error: status %d body %s", resp.StatusCode, string(b))
+		return cliproxyexecutor.Response{}, statusErr{code: resp.StatusCode, msg: string(b)}
+	}
+
+	data, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return cliproxyexecutor.Response{}, err
+	}
+	appendAPIResponseChunk(ctx, e.cfg, data)
+	reporter.publish(ctx, parseOpenAIUsage(data))
+
+	var param any
+	out := sdktranslator.TranslateNonStream(ctx, to, from, req.Model, bytes.Clone(opts.OriginalRequest), body, data, &param)
+	return cliproxyexecutor.Response{Payload: []byte(out)}, nil
+}
+
+// ExecuteStream performs a streaming chat completion request.
+func (e *IFlowExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Auth, req cliproxyexecutor.Request, opts cliproxyexecutor.Options) (<-chan cliproxyexecutor.StreamChunk, error) {
+	apiKey, baseURL := iflowCreds(auth)
+	if strings.TrimSpace(apiKey) == "" {
+		return nil, fmt.Errorf("iflow executor: missing api key")
+	}
+	if baseURL == "" {
+		baseURL = iflowauth.DefaultAPIBaseURL
+	}
+
+	reporter := newUsageReporter(ctx, e.Identifier(), req.Model, auth)
+
+	from := opts.SourceFormat
+	to := sdktranslator.FromString("openai")
+	body := sdktranslator.TranslateRequest(from, to, req.Model, bytes.Clone(req.Payload), true)
+
+	// Ensure tools array exists to avoid provider quirks similar to Qwen's behaviour.
+	toolsResult := gjson.GetBytes(body, "tools")
+	if toolsResult.Exists() && toolsResult.IsArray() && len(toolsResult.Array()) == 0 {
+		body = ensureToolsArray(body)
+	}
+
+	endpoint := strings.TrimSuffix(baseURL, "/") + iflowDefaultEndpoint
+	recordAPIRequest(ctx, e.cfg, body)
+
+	httpReq, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, bytes.NewReader(body))
+	if err != nil {
+		return nil, err
+	}
+	applyIFlowHeaders(httpReq, apiKey, true)
+
+	httpClient := newProxyAwareHTTPClient(ctx, e.cfg, auth, 0)
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		return nil, err
+	}
+
+	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
+		defer func() { _ = resp.Body.Close() }()
+		b, _ := io.ReadAll(resp.Body)
+		appendAPIResponseChunk(ctx, e.cfg, b)
+		log.Debugf("iflow streaming error: status %d body %s", resp.StatusCode, string(b))
+		return nil, statusErr{code: resp.StatusCode, msg: string(b)}
+	}
+
+	out := make(chan cliproxyexecutor.StreamChunk)
+	go func() {
+		defer close(out)
+		defer func() { _ = resp.Body.Close() }()
+
+		scanner := bufio.NewScanner(resp.Body)
+		buf := make([]byte, 20_971_520)
+		scanner.Buffer(buf, 20_971_520)
+		var param any
+		for scanner.Scan() {
+			line := scanner.Bytes()
+			appendAPIResponseChunk(ctx, e.cfg, line)
+			if detail, ok := parseOpenAIStreamUsage(line); ok {
+				reporter.publish(ctx, detail)
+			}
+			chunks := sdktranslator.TranslateStream(ctx, to, from, req.Model, bytes.Clone(opts.OriginalRequest), body, bytes.Clone(line), &param)
+			for i := range chunks {
+				out <- cliproxyexecutor.StreamChunk{Payload: []byte(chunks[i])}
+			}
+		}
+		if err := scanner.Err(); err != nil {
+			out <- cliproxyexecutor.StreamChunk{Err: err}
+		}
+	}()
+
+	return out, nil
+}
+
+// CountTokens is not implemented for iFlow.
+func (e *IFlowExecutor) CountTokens(context.Context, *cliproxyauth.Auth, cliproxyexecutor.Request, cliproxyexecutor.Options) (cliproxyexecutor.Response, error) {
+	return cliproxyexecutor.Response{Payload: nil}, fmt.Errorf("not implemented")
+}
+
+// Refresh refreshes OAuth tokens and updates the stored API key.
+func (e *IFlowExecutor) Refresh(ctx context.Context, auth *cliproxyauth.Auth) (*cliproxyauth.Auth, error) {
+	log.Debugf("iflow executor: refresh called")
+	if auth == nil {
+		return nil, fmt.Errorf("iflow executor: auth is nil")
+	}
+
+	refreshToken := ""
+	if auth.Metadata != nil {
+		if v, ok := auth.Metadata["refresh_token"].(string); ok {
+			refreshToken = strings.TrimSpace(v)
+		}
+	}
+	if refreshToken == "" {
+		return auth, nil
+	}
+
+	svc := iflowauth.NewIFlowAuth(e.cfg)
+	tokenData, err := svc.RefreshTokens(ctx, refreshToken)
+	if err != nil {
+		return nil, err
+	}
+
+	if auth.Metadata == nil {
+		auth.Metadata = make(map[string]any)
+	}
+	auth.Metadata["access_token"] = tokenData.AccessToken
+	if tokenData.RefreshToken != "" {
+		auth.Metadata["refresh_token"] = tokenData.RefreshToken
+	}
+	if tokenData.APIKey != "" {
+		auth.Metadata["api_key"] = tokenData.APIKey
+	}
+	auth.Metadata["expired"] = tokenData.Expire
+	auth.Metadata["type"] = "iflow"
+	auth.Metadata["last_refresh"] = time.Now().Format(time.RFC3339)
+
+	if auth.Attributes == nil {
+		auth.Attributes = make(map[string]string)
+	}
+	if tokenData.APIKey != "" {
+		auth.Attributes["api_key"] = tokenData.APIKey
+	}
+
+	return auth, nil
+}
+
+func applyIFlowHeaders(r *http.Request, apiKey string, stream bool) {
+	r.Header.Set("Content-Type", "application/json")
+	r.Header.Set("Authorization", "Bearer "+apiKey)
+	r.Header.Set("User-Agent", iflowUserAgent)
+	if stream {
+		r.Header.Set("Accept", "text/event-stream")
+	} else {
+		r.Header.Set("Accept", "application/json")
+	}
+}
+
+func iflowCreds(a *cliproxyauth.Auth) (apiKey, baseURL string) {
+	if a == nil {
+		return "", ""
+	}
+	if a.Attributes != nil {
+		if v := strings.TrimSpace(a.Attributes["api_key"]); v != "" {
+			apiKey = v
+		}
+		if v := strings.TrimSpace(a.Attributes["base_url"]); v != "" {
+			baseURL = v
+		}
+	}
+	if apiKey == "" && a.Metadata != nil {
+		if v, ok := a.Metadata["api_key"].(string); ok {
+			apiKey = strings.TrimSpace(v)
+		}
+	}
+	if baseURL == "" && a.Metadata != nil {
+		if v, ok := a.Metadata["base_url"].(string); ok {
+			baseURL = strings.TrimSpace(v)
+		}
+	}
+	return apiKey, baseURL
+}
+
+func ensureToolsArray(body []byte) []byte {
+	placeholder := `[{"type":"function","function":{"name":"noop","description":"Placeholder tool to stabilise streaming","parameters":{"type":"object"}}}]`
+	updated, err := sjson.SetRawBytes(body, "tools", []byte(placeholder))
+	if err != nil {
+		return body
+	}
+	return updated
+}

internal/runtime/executor/openai_compat_executor.go

@@ -133,8 +133,8 @@ func (e *OpenAICompatExecutor) ExecuteStream(ctx context.Context, auth *cliproxy
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 1024*1024)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/runtime/executor/qwen_executor.go

@@ -126,8 +126,8 @@ func (e *QwenExecutor) ExecuteStream(ctx context.Context, auth *cliproxyauth.Aut
 		defer close(out)
 		defer func() { _ = resp.Body.Close() }()
 		scanner := bufio.NewScanner(resp.Body)
-		buf := make([]byte, 1024*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 1024*1024)
+		scanner.Buffer(buf, 20_971_520)
 		var param any
 		for scanner.Scan() {
 			line := scanner.Bytes()

internal/translator/claude/gemini/claude_gemini_response.go

@@ -331,8 +331,8 @@ func ConvertClaudeResponseToGeminiNonStream(_ context.Context, modelName string,
 	streamingEvents := make([][]byte, 0)
 
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
+	buffer := make([]byte, 20_971_520)
-	scanner.Buffer(buffer, 10240*1024)
+	scanner.Buffer(buffer, 20_971_520)
 	for scanner.Scan() {
 		line := scanner.Bytes()
 		// log.Debug(string(line))

internal/translator/claude/openai/responses/claude_openai-responses_response.go

@@ -445,8 +445,8 @@ func ConvertClaudeResponseToOpenAIResponsesNonStream(_ context.Context, _ string
 		// Use a simple scanner to iterate through raw bytes
 		// Note: extremely large responses may require increasing the buffer
 		scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-		buf := make([]byte, 10240*1024)
+		buf := make([]byte, 20_971_520)
-		scanner.Buffer(buf, 10240*1024)
+		scanner.Buffer(buf, 20_971_520)
 		for scanner.Scan() {
 			line := scanner.Bytes()
 			if !bytes.HasPrefix(line, dataTag) {

internal/translator/codex/claude/codex_claude_response.go

@@ -181,8 +181,8 @@ func ConvertCodexResponseToClaude(_ context.Context, _ string, originalRequestRa
 //   - string: A Claude Code-compatible JSON response containing all message content and metadata
 func ConvertCodexResponseToClaudeNonStream(_ context.Context, _ string, originalRequestRawJSON, _ []byte, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
+	buffer := make([]byte, 20_971_520)
-	scanner.Buffer(buffer, 10240*1024)
+	scanner.Buffer(buffer, 20_971_520)
 	revNames := buildReverseMapFromClaudeOriginalShortToOriginal(originalRequestRawJSON)
 
 	for scanner.Scan() {

internal/translator/codex/gemini/codex_gemini_response.go

@@ -153,8 +153,8 @@ func ConvertCodexResponseToGemini(_ context.Context, modelName string, originalR
 //   - string: A Gemini-compatible JSON response containing all message content and metadata
 func ConvertCodexResponseToGeminiNonStream(_ context.Context, modelName string, originalRequestRawJSON, requestRawJSON, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
+	buffer := make([]byte, 20_971_520)
-	scanner.Buffer(buffer, 10240*1024)
+	scanner.Buffer(buffer, 20_971_520)
 	for scanner.Scan() {
 		line := scanner.Bytes()
 		// log.Debug(string(line))

internal/translator/codex/openai/responses/codex_openai-responses_response.go

@@ -30,8 +30,8 @@ func ConvertCodexResponseToOpenAIResponses(ctx context.Context, modelName string
 // from a non-streaming OpenAI Chat Completions response.
 func ConvertCodexResponseToOpenAIResponsesNonStream(_ context.Context, modelName string, originalRequestRawJSON, requestRawJSON, rawJSON []byte, _ *any) string {
 	scanner := bufio.NewScanner(bytes.NewReader(rawJSON))
-	buffer := make([]byte, 10240*1024)
+	buffer := make([]byte, 20_971_520)
-	scanner.Buffer(buffer, 10240*1024)
+	scanner.Buffer(buffer, 20_971_520)
 	dataTag := []byte("data:")
 	for scanner.Scan() {
 		line := scanner.Bytes()

sdk/auth/iflow.go

@@ -0,0 +1,131 @@
+package auth
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/auth/iflow"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/browser"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/config"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/misc"
+	"github.com/router-for-me/CLIProxyAPI/v6/internal/util"
+	coreauth "github.com/router-for-me/CLIProxyAPI/v6/sdk/cliproxy/auth"
+	log "github.com/sirupsen/logrus"
+)
+
+// IFlowAuthenticator implements the OAuth login flow for iFlow accounts.
+type IFlowAuthenticator struct{}
+
+// NewIFlowAuthenticator constructs a new authenticator instance.
+func NewIFlowAuthenticator() *IFlowAuthenticator { return &IFlowAuthenticator{} }
+
+// Provider returns the provider key for the authenticator.
+func (a *IFlowAuthenticator) Provider() string { return "iflow" }
+
+// RefreshLead indicates how soon before expiry a refresh should be attempted.
+func (a *IFlowAuthenticator) RefreshLead() *time.Duration {
+	d := 3 * time.Hour
+	return &d
+}
+
+// Login performs the OAuth code flow using a local callback server.
+func (a *IFlowAuthenticator) Login(ctx context.Context, cfg *config.Config, opts *LoginOptions) (*coreauth.Auth, error) {
+	if cfg == nil {
+		return nil, fmt.Errorf("cliproxy auth: configuration is required")
+	}
+	if ctx == nil {
+		ctx = context.Background()
+	}
+	if opts == nil {
+		opts = &LoginOptions{}
+	}
+
+	authSvc := iflow.NewIFlowAuth(cfg)
+
+	oauthServer := iflow.NewOAuthServer(iflow.CallbackPort)
+	if err := oauthServer.Start(); err != nil {
+		if strings.Contains(err.Error(), "already in use") {
+			return nil, fmt.Errorf("iflow authentication server port in use: %w", err)
+		}
+		return nil, fmt.Errorf("iflow authentication server failed: %w", err)
+	}
+	defer func() {
+		stopCtx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
+		defer cancel()
+		if stopErr := oauthServer.Stop(stopCtx); stopErr != nil {
+			log.Warnf("iflow oauth server stop error: %v", stopErr)
+		}
+	}()
+
+	state, err := misc.GenerateRandomState()
+	if err != nil {
+		return nil, fmt.Errorf("iflow auth: failed to generate state: %w", err)
+	}
+
+	authURL, redirectURI := authSvc.AuthorizationURL(state, iflow.CallbackPort)
+
+	if !opts.NoBrowser {
+		fmt.Println("Opening browser for iFlow authentication")
+		if !browser.IsAvailable() {
+			log.Warn("No browser available; please open the URL manually")
+			util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+		} else if err = browser.OpenURL(authURL); err != nil {
+			log.Warnf("Failed to open browser automatically: %v", err)
+			util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+			fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+		}
+	} else {
+		util.PrintSSHTunnelInstructions(iflow.CallbackPort)
+		fmt.Printf("Visit the following URL to continue authentication:\n%s\n", authURL)
+	}
+
+	fmt.Println("Waiting for iFlow authentication callback...")
+
+	result, err := oauthServer.WaitForCallback(5 * time.Minute)
+	if err != nil {
+		return nil, fmt.Errorf("iflow auth: callback wait failed: %w", err)
+	}
+	if result.Error != "" {
+		return nil, fmt.Errorf("iflow auth: provider returned error %s", result.Error)
+	}
+	if result.State != state {
+		return nil, fmt.Errorf("iflow auth: state mismatch")
+	}
+
+	tokenData, err := authSvc.ExchangeCodeForTokens(ctx, result.Code, redirectURI)
+	if err != nil {
+		return nil, fmt.Errorf("iflow authentication failed: %w", err)
+	}
+
+	tokenStorage := authSvc.CreateTokenStorage(tokenData)
+
+	email := strings.TrimSpace(tokenStorage.Email)
+	if email == "" {
+		return nil, fmt.Errorf("iflow authentication failed: missing account identifier")
+	}
+
+	fileName := fmt.Sprintf("iflow-%s.json", email)
+	metadata := map[string]any{
+		"email":         email,
+		"api_key":       tokenStorage.APIKey,
+		"access_token":  tokenStorage.AccessToken,
+		"refresh_token": tokenStorage.RefreshToken,
+		"expired":       tokenStorage.Expire,
+	}
+
+	fmt.Println("iFlow authentication successful")
+
+	return &coreauth.Auth{
+		ID:       fileName,
+		Provider: a.Provider(),
+		FileName: fileName,
+		Storage:  tokenStorage,
+		Metadata: metadata,
+		Attributes: map[string]string{
+			"api_key": tokenStorage.APIKey,
+		},
+	}, nil
+}

sdk/auth/refresh_registry.go

@@ -10,6 +10,7 @@ func init() {
 	registerRefreshLead("codex", func() Authenticator { return NewCodexAuthenticator() })
 	registerRefreshLead("claude", func() Authenticator { return NewClaudeAuthenticator() })
 	registerRefreshLead("qwen", func() Authenticator { return NewQwenAuthenticator() })
+	registerRefreshLead("iflow", func() Authenticator { return NewIFlowAuthenticator() })
 	registerRefreshLead("gemini", func() Authenticator { return NewGeminiAuthenticator() })
 	registerRefreshLead("gemini-cli", func() Authenticator { return NewGeminiAuthenticator() })
 	registerRefreshLead("gemini-web", func() Authenticator { return NewGeminiWebAuthenticator() })

sdk/cliproxy/service.go

@@ -232,10 +232,40 @@ func (s *Service) applyCoreAuthRemoval(ctx context.Context, id string) {
 	}
 }
 
+func openAICompatInfoFromAuth(a *coreauth.Auth) (providerKey string, compatName string, ok bool) {
+	if a == nil {
+		return "", "", false
+	}
+	if len(a.Attributes) > 0 {
+		providerKey = strings.TrimSpace(a.Attributes["provider_key"])
+		compatName = strings.TrimSpace(a.Attributes["compat_name"])
+		if providerKey != "" || compatName != "" {
+			if providerKey == "" {
+				providerKey = compatName
+			}
+			return strings.ToLower(providerKey), compatName, true
+		}
+	}
+	if strings.EqualFold(strings.TrimSpace(a.Provider), "openai-compatibility") {
+		return "openai-compatibility", strings.TrimSpace(a.Label), true
+	}
+	return "", "", false
+}
+
 func (s *Service) ensureExecutorsForAuth(a *coreauth.Auth) {
 	if s == nil || a == nil {
 		return
 	}
+	if compatProviderKey, _, isCompat := openAICompatInfoFromAuth(a); isCompat {
+		if compatProviderKey == "" {
+			compatProviderKey = strings.ToLower(strings.TrimSpace(a.Provider))
+		}
+		if compatProviderKey == "" {
+			compatProviderKey = "openai-compatibility"
+		}
+		s.coreManager.RegisterExecutor(executor.NewOpenAICompatExecutor(compatProviderKey, s.cfg))
+		return
+	}
 	switch strings.ToLower(a.Provider) {
 	case "gemini":
 		s.coreManager.RegisterExecutor(executor.NewGeminiExecutor(s.cfg))
@@ -250,6 +280,8 @@ func (s *Service) ensureExecutorsForAuth(a *coreauth.Auth) {
 		s.coreManager.RegisterExecutor(executor.NewCodexExecutor(s.cfg))
 	case "qwen":
 		s.coreManager.RegisterExecutor(executor.NewQwenExecutor(s.cfg))
+	case "iflow":
+		s.coreManager.RegisterExecutor(executor.NewIFlowExecutor(s.cfg))
 	default:
 		providerKey := strings.ToLower(strings.TrimSpace(a.Provider))
 		if providerKey == "" {
@@ -482,6 +514,10 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		}
 	}
 	provider := strings.ToLower(strings.TrimSpace(a.Provider))
+	compatProviderKey, compatDisplayName, compatDetected := openAICompatInfoFromAuth(a)
+	if compatDetected {
+		provider = "openai-compatibility"
+	}
 	var models []*ModelInfo
 	switch provider {
 	case "gemini":
@@ -496,12 +532,23 @@ func (s *Service) registerModelsForAuth(a *coreauth.Auth) {
 		models = registry.GetOpenAIModels()
 	case "qwen":
 		models = registry.GetQwenModels()
+	case "iflow":
+		models = registry.GetIFlowModels()
 	default:
 		// Handle OpenAI-compatibility providers by name using config
 		if s.cfg != nil {
 			providerKey := provider
 			compatName := strings.TrimSpace(a.Provider)
 			isCompatAuth := false
+			if compatDetected {
+				if compatProviderKey != "" {
+					providerKey = compatProviderKey
+				}
+				if compatDisplayName != "" {
+					compatName = compatDisplayName
+				}
+				isCompatAuth = true
+			}
 			if strings.EqualFold(providerKey, "openai-compatibility") {
 				isCompatAuth = true
 				if a.Attributes != nil {